=== Security Headers Manager ===
Contributors: snehalpancholi
Tags: security headers, CSP, HSTS, X-Frame-Options, HTTP headers, security
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 8.1
Stable tag: 1.0.0
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Adds configurable HTTP security headers to every response — X-Frame-Options, CSP, HSTS, Referrer-Policy, and more.

== Description ==

Security Headers Manager lets you add and configure industry-standard HTTP response headers from a simple settings page — no server configuration files required. Headers are applied to the frontend via WordPress's `wp_headers` filter and to the REST API via the REST server's header API.

**Supported Headers:**

* **X-Frame-Options** — Prevent clickjacking (DENY / SAMEORIGIN)
* **X-Content-Type-Options** — Block MIME sniffing (nosniff)
* **X-XSS-Protection** — Legacy XSS filter control
* **Referrer-Policy** — Control how much referrer info is sent
* **Permissions-Policy** — Restrict browser features (camera, mic, geolocation, etc.)
* **Content-Security-Policy** — Restrict resource origins (custom value)
* **Strict-Transport-Security (HSTS)** — Force HTTPS (HTTPS sites only)
* **Cross-Origin-Opener-Policy** — Isolate browsing context
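As an added example (not the plugin's own code) of the two delivery paths named in the Description, this PHP snippet attaches the headers listed above via the `wp_headers` filter for front-end responses and via the REST server's `send_header()` inside `rest_pre_serve_request` for REST responses. The header values, the Report-Only staging of CSP, and the `shm_example_` prefix are constructed for illustration.

```php
<?php
/**
 * Added example (not the plugin's own code): wires the header list above
 * into the two delivery paths the Description names. Values are constructed
 * samples; a real install would read them from the plugin's settings.
 */

/** Build the header set; HSTS is only safe to emit on an HTTPS response. */
function shm_example_security_headers(): array {
    $headers = [
        'X-Frame-Options'            => 'SAMEORIGIN',
        'X-Content-Type-Options'     => 'nosniff',
        'Referrer-Policy'            => 'strict-origin-when-cross-origin',
        'Permissions-Policy'         => 'camera=(), microphone=(), geolocation=()',
        'Cross-Origin-Opener-Policy' => 'same-origin',
        // Report-Only lets a new CSP be observed in browser reports before it is enforced.
        'Content-Security-Policy-Report-Only' => "default-src 'self'; script-src 'self' https://cdn.example.com",
    ];
    if ( is_ssl() ) {
        // max-age is one year; includeSubDomains commits every subdomain to HTTPS too.
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

// Front-end path: wp_headers receives the array that WP::send_headers() will emit.
add_filter( 'wp_headers', function ( array $headers ) {
    return array_merge( $headers, shm_example_security_headers() );
} );

// REST API path: WP::send_headers() never runs for REST requests, so push each
// header through the REST server's own header API before the response is served.
add_filter( 'rest_pre_serve_request', function ( bool $served, $result, $request, WP_REST_Server $server ) {
    foreach ( shm_example_security_headers() as $name => $value ) {
        $server->send_header( $name, $value );
    }
    return $served;
}, 10, 4 );
```

Admin pages do not pass through `wp_headers` either, which is why an "Apply to Admin Area" option needs its own hook rather than this filter.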

== Installation ==

1. Upload the `security-headers` folder to `/wp-content/plugins/`.
2. Activate through **Plugins**.
3. Go to **Settings → Security Headers** to configure.

== Frequently Asked Questions ==

= Will enabling CSP break my site? =
Possibly, if you use third-party scripts or inline styles. Start with a permissive policy and tighten gradually. Test on staging first.

= Should I enable HSTS? =
Only if your entire site is served over HTTPS. HSTS can lock out visitors from HTTP access for the duration of `max-age`.

= Do headers apply to admin pages? =
Only if you tick "Apply to Admin Area" in Settings.

== Changelog ==

= 1.0.0 =
* Initial release.
